Re: [Rats] use case document updates on Roots of Trust
Ira McDonald <blueroofmusic@gmail.com> Mon, 09 September 2019 23:20 UTC
Return-Path: <blueroofmusic@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29BF91200E3 for <rats@ietfa.amsl.com>; Mon, 9 Sep 2019 16:20:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pm2T2xLeHf8l for <rats@ietfa.amsl.com>; Mon, 9 Sep 2019 16:20:13 -0700 (PDT)
Received: from mail-yw1-xc41.google.com (mail-yw1-xc41.google.com [IPv6:2607:f8b0:4864:20::c41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFCA6120020 for <rats@ietf.org>; Mon, 9 Sep 2019 16:20:13 -0700 (PDT)
Received: by mail-yw1-xc41.google.com with SMTP id f187so5582625ywa.5 for <rats@ietf.org>; Mon, 09 Sep 2019 16:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IBs1IObg6tG60TD/Vo5FAIihqeO3LnGKQJ7xxlIUIno=; b=fUDXrGXdT23ZBDXgBZj/WKq/X7xDbF8gLDOjAdejL7HQlAbPr0lDbHH799Mqh5W/OS p55DtP3WdfLpMYfRtIY0E2GbNuHEW0zkBIbbPpcI0vqRCJs89ewOYjHlE62D1ojV9ITb g2Yt+5aGKOaLAtc16h1uitZ8wjo3KQuwj6ZbtYsWSA5Se5IE6GXBeMi8XZOWtQJeBvk3 YBDhNjzlKpRuS3OMBMpQRgcoH7gfOvzxOaiTTAiN1fjvs+Mr26CwBWilwXq2+bHXuekz xixE/q1pckpiJkGskHjX5ogDn5F/9q0EE+PBzBUKZyu4dS85b+NyRvKj4OVG+CiSGnxs d3dA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IBs1IObg6tG60TD/Vo5FAIihqeO3LnGKQJ7xxlIUIno=; b=Zh6tZAJjuZFkUnHir0sBYZuVszk98RrysRqKbJmO0nrr+Pd5g6QtVo42+DN8W3tXVq jHlA/jHqGi711r3tORuOSFsQPwSz3n1R4RpXKHa34OWlIf+JhFzx/mWabinftLZdf9DS P3OEvjlCLjUrOzYQjNWVHUd5HT3Yij3vbmQgbRhWYDg/f72gpIdp+exBSxPdAU6mU1xO mbOYHlW82xEGloFc72z01GStHYPQLhXCXnECXvUbBieCLt17l/BSgZ+V8hLwstX1Ywi6 HQq5mJruFin99QICQkr7Jt8XRE82tigZnipL6vd3CXcyBJaidZWKCFh6z7xpA365pFZg xfDg==
X-Gm-Message-State: APjAAAWDXhMeXYe35u2Iyn9J9P+G+jjOYBT39dzNdZB6elt5l6TaO7kR /vsnAENNotRyIruqjStPk5hl5bLxfQM/5Zto7io=
X-Google-Smtp-Source: APXvYqztv5L8mlb1v7u+vyr2r0moVjDeT6wq3O4SuoEdbhcv17kcYuyqGu5ulmstbEXU5s5OzdwnK6/fnnemt0gbwGM=
X-Received: by 2002:a81:3e17:: with SMTP id l23mr19443316ywa.312.1568071212902; Mon, 09 Sep 2019 16:20:12 -0700 (PDT)
MIME-Version: 1.0
References: <4155.1567948986@dooku.sandelman.ca> <64BD12AA-951A-468A-9F08-D442054605AD@island-resort.com> <de6ff852-062d-805d-3eed-10aca60502b2@sit.fraunhofer.de>
In-Reply-To: <de6ff852-062d-805d-3eed-10aca60502b2@sit.fraunhofer.de>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Mon, 09 Sep 2019 19:20:02 -0400
Message-ID: <CAN40gStH5jUCJeVggREr3ABoFw7K97F=KtoJOSR_X+LWNLB+JA@mail.gmail.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Ira McDonald <blueroofmusic@gmail.com>
Cc: rats@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a0afe405922707d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/tjs9tJsGcNPmJcYbRy60MzKHyns>
Subject: Re: [Rats] use case document updates on Roots of Trust
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 23:20:18 -0000
Hi, Chiming in here. The TCG is neither the originator of the term "Root of Trust", nor a particularly good source for RoT definitions. One might look at this US NIST project on Roots of Trust: https://csrc.nist.gov/Projects/Hardware-Roots-of-Trust/publications And especially this SP800-164 document: https://csrc.nist.gov/publications/detail/sp/800-164/draft Cheers, - Ira Ira McDonald (Musician / Software Architect) Co-Chair - TCG Trusted Mobility Solutions WG Co-Chair - TCG Metadata Access Protocol SG Chair - Linux Foundation Open Printing WG Secretary - IEEE-ISTO Printer Working Group Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG IETF Designated Expert - IPP & Printer MIB Blue Roof Music / High North Inc http://sites.google.com/site/blueroofmusic http://sites.google.com/site/highnorthinc mailto: blueroofmusic@gmail.com PO Box 221 Grand Marais, MI 49839 906-494-2434 On Mon, Sep 9, 2019 at 6:49 PM Henk Birkholz < henk.birkholz@sit.fraunhofer.de> wrote: > Hi all, > > wrt the topic of "roots of trust", on the list a very visible concern > was highlighted: "the definition [of RoT] defines what they are -not- > and not what it actually -are-". And I am inclined to agree with that. > > My initial and unpolished proposal is this: > > "If" we use the spectrum of meanings what "roots of trust" are in RATS, > we probably have to do two things: > > 1.) We maybe should highlight that "Roots of Trust" are a demarcation > line. There are system components or system components characteristics > (aka "Claims" that are composed into "Evidence" about "Trustworthiness") > that an Attester cannot create Evidence about only by itself. It is the > "rock bottom" that an Attester cannot attest to (because, quoting: > "their misbehavior cannot be detected"). While that being very true, it > seems not to be enough of a reason to just exclude them conceptually. > > Hence, the only established procedure to "deal" with these roots of > trust is a third's party endorsement. The consumer of attestation > results is at its own liberty to put trust into these third party's > endorsements - or not. > > It is an optional Claim Set, typically provided in the form of > Endorsement Certificates (but there surely are other ways). And these > methods might simply not be available to an Attester. And if that i that > case that MUST not be a blocker, especially wrt to the RATS architecture. > > I.e. in RATS these Claims about RoT (Endorsements) should be purely > optional. The architecture should allow to include them. But by any > means, there should not be prescriptive or a normative MUSTs to provide > them. > > If an Attester is able to provide or refer to such an endorsements of a > system components capabilities, it should be able to do so. If an > Attester is not able to provide such third party endorsements, that > should not be a blocker to conducts RATS. The benefit of having the > option to provide them is to fuel a framework about "levels of > confidence" that most likely is out of scope of IETF definitions, but > would enable other entities to fill that gap in. > > 2.) I am proposing that the RATS WG puts some effort in defining what > "roots of trust" actually do (and not only what they cannot do). That > would help to create an understanding what they actually mean - a lot. > And - I think that is important - that might not have to be part of the > architecture document. Maybe it is an Appendix of it, maybe it is an > informational draft that complements the architecture document, or this > content goes alongside with solutions drafts. We don't know yet, I think. > > TL;DR > > Roots of Trust are relevant. But their upcoming definition and use > should not stop us from progressing essential corner stone drafts, today. > > My understanding is that some use cases really require them, and other > use cases don't. Neither am I inclined to include them in the > architecture draft and over-complicate elegant solutions, such as EAT, > nor am I inclined to exclude them and thereby inhibit established > solution, such as RIV. > > There is some middle ground here, I think. My proposal is to neither > disregard the system components an Attester is not able to create > Evidence for by itself, nor to mandate that an Attester can only create > believable Evidence, if RoT are available. Both options should be > enabled by the RATS architecture, I think. > > Viele Grüße, > > Henk > > > On 09.09.19 22:56, Laurence Lundblade wrote: > > Appreciate you wading into this with something written and concrete. > > > > As a thought experiment consider adding this to our RATS definition: > > > > A root of trust may also be a simple unsecured user mode > > application, like an Android, Windows or Linux application that > > trust has been placed in by a particular attestation system. It is > > provisioned with a signing key or such and other capabilities so as > > to be able to produce attestation evidence (e.g. signed tokens). > > The application may or may not be signed or authenticated. > > > > In a sense, the usual definition of root of trust applies in that it > > is something that is unconditionally trusted. In another sense, this > > is at odds with the usual conception as it is not anchored in HW or > > to any kind of system or boot SW. > > > > I assuming this addition is too much at odds with the convention usage > > and there is no support for RATS adopting this definition. This is one > > of the main reasons I am asking we not use the term normatively. > > > > LL > > > > > >> On Sep 8, 2019, at 6:23 AM, Michael Richardson <mcr+ietf@sandelman.ca > >> <mailto:mcr+ietf@sandelman.ca>> wrote: > >> > >> > >> We seem to have regular email disputes on terms like Roots of Trust. > >> I continue to have difficulty with the term. Particularly in the plural > >> "Roots" form. > >> As I process edits to the use case document, I got a bunch of text: > >> > >> The TCG Glossary also offers a general definition for Root of Trust “A > >> component that performs one or more security-specific functions, such > as > >> measurement, storage, reporting, verification, and/or update. It is > >> trusted > >> always to behave in the expected manner, because its misbehavior > >> cannot be > >> detected (such as by measurement) under normal operation. “ > >> > >> {I personally find it very difficult to understand the words as other > >> than an > >> alias for Trust Anchor, yet it clearly is something else. It's hard > >> to make > >> my neurons pull up a different meaning. This is probably something that > >> every RATS document should say clearly upon first using the term, in > >> order to > >> ease the impedence mis-match with IETF readers as we get reviews} > >> > >> I have included not just Ned Smith's comments about the term Roots of > >> Trust, > >> but his survey of the various origins of the term. I'm sure that this > >> belongs somewhere else. > >> > >> That diff is here: > >> > https://ietf.org/rfcdiff?url1=draft-richardson-rats-usecases-04&url2=https://ietf-rats-wg.github.io/ietf-rats-usecases/draft-richardson-rats-usecases.txt > >> > >> and commit is: > >> > https://github.com/ietf-rats-wg/ietf-rats-usecases/commit/7386e8c0df11ece66e3c95f85d141a639d440e12 > >> > >> > >> -- > >> Michael Richardson <mcr+IETF@sandelman.ca > >> <mailto:mcr+IETF@sandelman.ca>>, Sandelman Software Works > >> -= IPv6 IoT consulting =- > >> > >> > >> > >> _______________________________________________ > >> RATS mailing list > >> RATS@ietf.org <mailto:RATS@ietf.org> > >> https://www.ietf.org/mailman/listinfo/rats > > > > > > _______________________________________________ > > RATS mailing list > > RATS@ietf.org > > https://www.ietf.org/mailman/listinfo/rats > > > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats >
- [Rats] use case document updates on Roots of Trust Michael Richardson
- Re: [Rats] use case document updates on Roots of … Laurence Lundblade
- Re: [Rats] use case document updates on Roots of … Henk Birkholz
- Re: [Rats] use case document updates on Roots of … Ira McDonald
- Re: [Rats] use case document updates on Roots of … Ira McDonald
- Re: [Rats] use case document updates on Roots of … Smith, Ned
- Re: [Rats] use case document updates on Roots of … Ira McDonald
- Re: [Rats] use case document updates on Roots of … Henk Birkholz
- Re: [Rats] use case document updates on Roots of … Smith, Ned
- Re: [Rats] use case document updates on Roots of … Henk Birkholz
- Re: [Rats] use case document updates on Roots of … Michael Richardson
- Re: [Rats] use case document updates on Roots of … Salz, Rich
- Re: [Rats] use case document updates on Roots of … Carl Wallace
- Re: [Rats] use case document updates on Roots of … Henk Birkholz
- Re: [Rats] use case document updates on Roots of … Laurence Lundblade
- Re: [Rats] use case document updates on Roots of … Jeremy O'Donoghue
- Re: [Rats] use case document updates on Roots of … Salz, Rich
- Re: [Rats] use case document updates on Roots of … Carl Wallace
- Re: [Rats] use case document updates on Roots of … Michael Richardson
- Re: [Rats] use case document updates on Roots of … Michael Richardson
- Re: [Rats] use case document updates on Roots of … Michael Richardson
- [Rats] 答复: use case document updates on Roots of … Xialiang (Frank, Network Standard & Patent Dept)
- Re: [Rats] 答复: use case document updates on Roots… Carl Wallace
- [Rats] 答复: 答复: use case document updates on Roots… Xialiang (Frank, Network Standard & Patent Dept)